hi,

i usually use bastille or shorewall to secure my client's installations/LANs. so about 2 weeks back i was going over some printouts and i found a default accept line in the INPUT chain and in some cases the FORWARD
chain. the funny thing is the user defined chains dealing with incominig traffic are placed after this default accept
making them useless.
if anyone else sees this problem please let me know. i'm now running my own fw scripts.
this has happened in several cases of bastille installs and one install of shorewall. so if no one else
is having the problem maybe i am misconfiguring it. i've double checked and rechecked the configs
and /sbin/bastille-netfilter too. so pls check your fw chains and see i there is a line which simply accepts all packets before any user defined chains
regards
penseur2

Which interface does this ACCEPT line refer to?
Is it accepting LAN traffic before it is sent out or accepting lo traffic.
?
You may need these if you have default DROP policies...

Regards,
Peter

it's accepting traffic from all interfaces including lo,ppp0 and eth0,eth1 and it does this before any of the logging
rules are in place, so there is no point in having any more rules after that rule.

Quite right !!

But, it's ok to have a line like this if all the DROP rules are before it.
It really depends on the default POLICY and whether filtering is done in the main chain or a sub chain.

Regards,
Peter